Note that the Admin REST API is not accessible from the clients directly.
To allow users to sign up, it is recommended to have an app server sitting alongside Sync Gateway that performs the user validation, creates a new user on the Sync Gateway admin port and then returns the response to the application.

Configuration file: user credentials are hardcoded in the configuration. This method is convenient for testing but we generally recommend to use the Admin REST API in a Sync Gateway deployment.

Basic Authentication

Once the user has been created on Sync Gateway, you can provide the same username/password to the BasicAuthenticator class of Couchbase Lite.
Under the hood, the replicator will send the credentials in the first request to retrieve a SyncGatewaySession cookie and use it for all subsequent requests during the replication.
This is the recommended way of using basic authentication.

Custom Authentication

It’s possible for an application server associated with a remote Couchbase Sync Gateway to provide its own custom form of authentication.
Generally this will involve a particular URL that the app needs to post some form of credentials to; the App Server will verify those, then tell the Sync Gateway to create a new session for the corresponding user, and return session credentials in its response to the client app.

The following diagram shows an example architecture to support Google SignIn in a Couchbase Mobile application, the client sends an access token to the App Server where a server side validation is done with the Google API and a corresponding Sync Gateway user is then created if it’s the first time the user logs in.
The last request creates a session:

Given a user has already been created, the request to create a new session for that user name is the following:

OpenID Connect

Sync Gateway supports OpenID Connect.
This allows your application to use Couchbase for data synchronization and delegate the authentication to a 3rd party server (known as the Provider). There are two implementation methods available with OpenID Connect:

Implicit Flow: with this method, the retrieval of the ID token takes place on the device. You can then create a user session using the POST /+{db}+/_session endpoint on the Public REST API with the ID token.

Implicit Flow

Implicit Flow has the key feature of allowing clients to obtain their own Open ID token and use it to authenticate against Sync Gateway.
The implicit flow with Sync Gateway is as follows:

The client obtains a signed Open ID token directly from an OpenID Connect provider. Note that only signed tokens are supported. To verify that the Open ID token being sent is indeed signed, you can use the jwt.io Debugger. In the algorithm dropdown, make sure to select RS256 as the signing algorithm (other options such as HS256 are not yet supported by Sync Gateway).

The client includes the Open ID token as an Authorization: Bearer <id_token> header on requests made against the Sync Gateway REST API.

Sync Gateway matches the token to a provider in its configuration file based on the issuer and audience in the token.

Sync Gateway validates the token, based on the provider definition.

Upon successful validation, Sync Gateway authenticates the user based on the subject and issuer in the token.

Since Open ID tokens are typically large, the usual approach is to use the Open ID token to obtain a Sync Gateway session id (using the POST /db/_session endpoint), and then use the returned session id for subsequent authentication requests.

Here is a sample Sync Gateway config file, configured to use the Implicit Flow.

Client Authentication

With the implicit flow, the mechanism to refresh the token and Sync Gateway session must be handled in the application code.
On launch, the application should check if the token has expired.
If it has then you must request a new token (Google SignIn for iOS has a method called signInSilently for this purpose). By doing this, the application can then use the token to create a Sync Gateway session.

The Google SignIn SDK prompts the user to login and if successful it returns an ID token to the application.

The ID token is used to create a Sync Gateway session by sending a POST /+{db}+/_session request.

Sync Gateway returns a cookie session in the response header.

The Sync Gateway cookie session is used on the replicator object.

Sync Gateway sessions also have an expiration date.
The replication lastError property will return a 401 Unauthorized when it’s the case and then the application must retrieve create a new Sync Gateway session and set the new cookie on the replicator.

You can configure your application for Google SignIn by following this guide.

Authorization Code Flow

Whilst Sync Gateway supports Authorization Code Flow, there is considerable work involved to implement the Authorization Code Flow on the client side.
Couchbase Lite 1.x has an API to hide this complexity called OpenIDConnectAuthenticator but since it is not available in the 2.0 API we recommend to use the Implicit Flow.